PyPI is the world’s largest platform for open-source Python packages. The organization suspended new user registrations and barred existing users from uploading new projects over the weekend due to an unmanageable flood of malicious code.
In an announcement posted on the PyPI status page, the organization said that the volume of malicious users and malicious projects being created on the index had outpaced their ability to respond to it in a timely manner. As a result, they decided to “re-group over the weekend”. By Sunday evening (around 10 PM UTC) the suspension had been lifted.
Supply chain attacks are all too common these days, making repositories for open-source software an attractive target for cybercriminals and hackers. Companies often incorporate open-source software into their products, giving malicious actors the opportunity to sneak malicious packages into the repository, potentially compromising not just the product they’re building, but their entire network and infrastructure.
Malicious actors usually engage in “typosquatting” to achieve this – creating bogus packages with names similar enough to existing packages for developers to mistakenly choose the wrong one. They might also try to generate fake reviews and inflate download numbers with the help of bots and AI.
PyPI has been the target of multiple cyberattacks this year, the most recent of which occurred during the weekend in question. Cybercriminals likely attempted to install infostelaers, which can help them steal credentials and access valuable company assets.
It is worth noting the PyPI team and the numerous volunteers who are working hard to maintain the security and trustworthiness of the platform and its contents. Their dedication helps Python developers safely access the open-source components they depend on for developing secure and efficient products. The team of PyPI have also implemented several measures to make sure malicious packages don’t make it to the repository itself.
